Section 15 – Secure data and applications – Configure and manage Azure Key Vault

And here goes the last section of my AZ-500 study guide; the end is near. This one covers:

  • Create and configure Key Vault
  • Configure access to Key Vault
  • Manage certificates, secrets, and keys
  • Configure key rotation
  • Configure Backup and recovery of certificates, secrets, and keys

Create and configure Key Vault

Basics

When you create a Key vault, you will see the following options. The vault name must only contain alphanumeric characters and dashes and cannot start with a number.

You have Standard and Premium pricing tiers. As an example, the estimated monthly pricing with one Managed HSM pool is shown below; you only pay for what you use.

Service type | Region | Description | Estimated monthly cost | Estimated upfront cost
Key Vault | North Europe | Vault: 1 operations, 1 advanced operations, 1 renewals, 1 protected keys, 1 advanced protected keys | 8,72€ | 0,00€
Key Vault | North Europe | Managed HSM Pools: 1 Standard B1 HSM Pool(s) x 31 Days | 2 263,66€ |
Support | | | 0,00€ | 0,00€
Total | | | 2 272,38€ | 0,00€

Soft delete protection will automatically be enabled on this key vault. This feature allows you to recover or permanently delete a key vault and secrets for the duration of the retention period. This protection applies to the key vault and the secrets stored within the key vault.

To enforce a mandatory retention period and prevent the permanent deletion of key vaults or secrets prior to the retention period elapsing, you can turn on purge protection. When purge protection is enabled, secrets cannot be purged by users or by Microsoft.

The ability to turn off soft delete via the Azure Portal has been deprecated. You can create a new key vault with soft delete off for a limited time using CLI / PowerShell / REST API. The ability to create a key vault with soft delete disabled will be fully deprecated by the end of the year.


Days to retain can be set to between 7 and 90 days. Once it has been set, it cannot be changed or removed.

Enabling “purge protection” on a key vault is an irreversible action. Once the purge protection property has been set to “true”, it cannot be changed or removed.

Access policy

Virtual machine for deployment specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

ARM template specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

Azure Disk Encryption permits the disk encryption service to retrieve secrets from the vault and unwrap keys.

When you are adding an access policy, you will see the following options.

Access policy permissions

Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal.

The Authorized application setting lets the selected application perform the specified permissions on the user's or group's behalf.

RBAC

But when you enable RBAC you won't see any access policy options; I will go through this in the next section.

Networking

Selected networks

You can choose Selected networks under the connectivity methods, add existing VNets, and allow trusted Microsoft services to bypass the firewall.

What are Microsoft trusted services?

Trusted service | Supported usage scenarios
Azure Virtual Machines deployment service | Deploy certificates to VMs from customer-managed Key Vault.
Azure Resource Manager template deployment service | Pass secure values during deployment.
Azure Disk Encryption volume encryption service | Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption.
Azure Backup | Allow backup and restore of relevant keys and secrets during Azure Virtual Machines backup, by using Azure Backup.
Exchange Online & SharePoint Online | Allow access to customer key for Azure Storage Service Encryption with Customer Key.
Azure Information Protection | Allow access to tenant key for Azure Information Protection.
Azure App Service | App Service is trusted only for deploying an Azure Web App certificate through Key Vault; for the individual app itself, the outbound IPs can be added to Key Vault's IP-based rules.
Azure SQL Database | Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Azure Synapse Analytics.
Azure Database for MySQL | Data encryption for Azure Database for MySQL.
Azure Database for PostgreSQL Single server | Data encryption for Azure Database for PostgreSQL Single server.
Azure Storage | Storage Service Encryption using customer-managed keys in Azure Key Vault.
Azure Data Lake Store | Encryption of data in Azure Data Lake Store with a customer-managed key.
Azure Synapse Analytics | Encryption of data using customer-managed keys in Azure Key Vault.
Azure Databricks | Fast, easy, and collaborative Apache Spark-based analytics service.
Azure API Management | Deploy certificates for Custom Domain from Key Vault using MSI.
Azure Data Factory | Fetch data store credentials in Key Vault from Data Factory.
Azure Event Hubs | Allow access to a key vault for the customer-managed keys scenario.
Azure Service Bus | Allow access to a key vault for the customer-managed keys scenario.
Azure Import/Export | Use customer-managed keys in Azure Key Vault for the Import/Export service.
Azure Container Registry | Registry encryption using customer-managed keys.
Azure Application Gateway | Using Key Vault certificates for HTTPS-enabled listeners.
Azure Front Door | Using Key Vault certificates for HTTPS.
Microsoft Purview | Using credentials for source authentication in Microsoft Purview.
Azure Machine Learning | Secure Azure Machine Learning in a virtual network.

Private endpoints

When you start creating a Private endpoint, you will choose a location, a name and a Target sub-resource, which in this case will be Vault. Microsoft uses service tags for these: they let you reference the service by tag without specifying any IP addresses.

Then you will specify Vnet, subnet and Private DNS. Private DNS will allow the usage with a private DNS name.

If you don’t integrate your endpoint with a DNS zone, you’ll need to create records on either your own DNS server or via host file updates on each virtual machine.

Only private DNS zones in the currently selected subscription with name ‘privatelink.vaultcore.azure.net’ will be shown. Using a private DNS zone in the same resource group as the virtual network is recommended, and if there are no existing zones that meet this criteria, one will be created.

Template

Once you are ready to deploy, you can see the template and easily learn how ARM templates work. You could also deploy directly from the template page.

Or go with the manual option.
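The create flow above (Premium tier, RBAC, soft-delete retention, purge protection, selected networks with trusted-services bypass, and a private endpoint with its private DNS zone) as an Az PowerShell script. This is an added example, not code from the original post; resource names, the admin IP range and the VNet/subnet are assumed placeholders, and the subnet must have private endpoint network policies disabled for the private endpoint part to succeed.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault, Az.Network and Az.PrivateDns.
$rg         = "rg-az500-demo"                # assumed, must already exist
$location   = "northeurope"
$vaultName  = "kv-az500-demo-001"            # alphanumerics and dashes, not starting with a digit
$vnetName   = "vnet-demo"                    # assumed existing VNet
$subnetName = "snet-apps"                    # assumed existing subnet
$adminIp    = "203.0.113.10/32"              # assumed admin client IP (documentation range)

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName

# Selected networks: deny by default, allow one admin IP and one subnet, and let trusted
# Microsoft services (Backup, Disk Encryption, ...) bypass the firewall.
$ruleSet = New-AzKeyVaultNetworkRuleSetObject -DefaultAction Deny -Bypass AzureServices `
    -IpAddressRange $adminIp -VirtualNetworkResourceId $subnet.Id

# Premium SKU makes HSM-protected keys available. Soft delete is always on; the retention
# period (7-90 days) and purge protection cannot be changed or removed once set.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -Sku Premium `
    -EnableRbacAuthorization `
    -SoftDeleteRetentionInDays 90 `
    -EnablePurgeProtection `
    -EnabledForDiskEncryption `
    -NetworkRuleSet $ruleSet

# Private endpoint with the "vault" target sub-resource, plus the private DNS zone so the
# public vault name resolves to the private IP inside the VNet.
$conn = New-AzPrivateLinkServiceConnection -Name "pe-kv-conn" `
    -PrivateLinkServiceId $vault.ResourceId -GroupId "vault"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$vaultName" -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.vaultcore.azure.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name "vaultcore" -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $zoneCfg | Out-Null

# Verify the security-relevant properties before handing the vault to anyone.
$check = Get-AzKeyVault -VaultName $vaultName
[pscustomobject]@{
    RbacEnabled     = $check.EnableRbacAuthorization
    SoftDeleteDays  = $check.SoftDeleteRetentionInDays
    PurgeProtection = $check.EnablePurgeProtection
    DefaultAction   = $check.NetworkAcls.DefaultAction
    Bypass          = $check.NetworkAcls.Bypass
    PrivateEndpoint = $pe.Name
}
```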


Configure access to Key Vault

Authentication options

  • Application-only: The application represents a service principal or managed identity. This identity is the most common scenario for applications that periodically need to access certificates, keys, or secrets from the key vault. For this scenario to work, the objectId of the application must be specified in the access policy and the applicationId must not be specified or must be null.
  • User-only: The user accesses the key vault from any application registered in the tenant. Examples of this type of access include Azure PowerShell and the Azure portal. For this scenario to work, the objectId of the user must be specified in the access policy and the applicationId must not be specified or must be null.
  • Application-plus-user (sometimes referred as compound identity): The user is required to access the key vault from a specific application and the application must use the on-behalf-of authentication (OBO) flow to impersonate the user. For this scenario to work, both applicationId and objectId must be specified in the access policy. The applicationId identifies the required application and the objectId identifies the user. Currently, this option isn’t available for data plane Azure RBAC.

Security principal

A security principal is an object that represents a user, group, service, or application that’s requesting access to Azure resources. Azure assigns a unique object ID to every security principal.

  • A user security principal identifies an individual who has a profile in Azure Active Directory.
  • A group security principal identifies a set of users created in Azure Active Directory. Any roles or permissions assigned to the group are granted to all of the users within the group.
  • A service principal is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID is known as its client ID and acts like its username. The service principal's client secret acts like its password.

For applications, there are two ways to obtain a service principal:

  • Recommended: enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application's service principal and automatically authenticates the application with other Azure services. Managed identity is available for applications deployed to a variety of services. For more information, see the Managed identity overview. Also see Azure services that support managed identity, which links to articles that describe how to enable managed identity for specific services (such as App Service, Azure Functions, Virtual Machines, etc.).
  • If you cannot use managed identity, you instead register the application with your Azure AD tenant.
The Azure Key Vault authentication flow
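The three authentication shapes above expressed as concrete grants, plus the recommended managed-identity path with an item-level RBAC scope. This is an added example, not code from the original post; the vault, web app and secret names and all object/application IDs are assumed placeholders, and the access policy part only takes effect while the vault is still in the access policy permission model.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault, Az.Websites and Az.Resources.
$vaultName    = "kv-az500-demo-001"                       # assumed vault
$spObjectId   = "00000000-0000-0000-0000-00000000aaaa"    # assumed: service principal object id
$userObjectId = "00000000-0000-0000-0000-00000000bbbb"    # assumed: user object id
$appClientId  = "11111111-2222-3333-4444-555555555555"    # assumed: application (client) id
$vault        = Get-AzKeyVault -VaultName $vaultName

# --- Vault access policy model (entries are ignored once the vault is switched to RBAC) ---
# Application-only: objectId of the service principal, applicationId left empty.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $spObjectId -PermissionsToSecrets get,list

# User-only: objectId of the user, applicationId left empty (portal, PowerShell, any app).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $userObjectId -PermissionsToCertificates get,list

# Application-plus-user (compound identity): both set. The user is only honoured when the
# request comes through this application via the on-behalf-of (OBO) flow.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $userObjectId -ApplicationId $appClientId `
    -PermissionsToKeys get,sign

# --- Azure RBAC model (recommended) ---
# Application-only via a system-assigned managed identity: no client secret to store or rotate.
$app = Set-AzWebApp -ResourceGroupName "rg-az500-demo" -Name "app-az500-demo" -AssignIdentity $true  # assumed app
$miObjectId = $app.Identity.PrincipalId

# Item-level scope: this identity can read exactly one secret and nothing else in the vault.
$secretScope = "$($vault.ResourceId)/secrets/db-connection-string"   # assumed secret name
New-AzRoleAssignment -ObjectId $miObjectId -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $secretScope | Out-Null

# Review what is effectively granted at vault scope (inherited assignments included).
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```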

How to?

When you open the deployed Key vault and go to Access policies, you will see the following.

And this is because we have RBAC enabled, so let's dig into RBAC first.

RBAC

You have options to view your own access, as well as the access of users, groups, service principals and managed identities.

But you can also grant access to the Key vault and view all access, including what is denied.

From View my access you will see the default access your account has. My account, for example, has Owner inherited from the subscription level, and because I have PIM enabled, there are also User Access Administrator permissions.

Different roles

Contributor can be inherited or directly assigned, and the Key Vault Contributor role also grants this right.

Inherited contributor

Key Vault contributor

And here are the different roles specific to Key vault:

Built-in role | Description | ID
Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483
Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985
Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603
Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6
Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424
Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2
Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7
Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6

From RBAC you can add users, groups, service principals and managed identities.

And you can check the access from role assignments

Access policies

Switching to access policies is relatively easy: just go to Access policies and flip the switch. You will get a warning stating that entities will lose access.

But note this before changing

If you need to use access policies, or are just trying them out, you will see the following permissions available. You can set different permissions for keys, secrets or certificates inside the Key vault, but remember that object-level granularity isn't supported: access policies are defined at the Key vault level.

With RBAC you have the possibility to define access at the item level.

And Microsoft also recommends using the RBAC permission model instead of access policies.

Access policy templates to Azure roles mapping

Access policy template | Operations | Azure role
Key, Secret, Certificate Management | Keys: all operations; Certificates: all operations; Secrets: all operations | Key Vault Administrator
Key & Secret Management | Keys: all operations; Secrets: all operations | Key Vault Crypto Officer, Key Vault Secrets Officer
Secret & Certificate Management | Certificates: all operations; Secrets: all operations | Key Vault Certificates Officer, Key Vault Secrets Officer
Key Management | Keys: all operations | Key Vault Crypto Officer
Secret Management | Secrets: all operations | Key Vault Secrets Officer
Certificate Management | Certificates: all operations | Key Vault Certificates Officer
SQL Server Connector | Keys: get, list, wrap key, unwrap key | Key Vault Crypto Service Encryption User
Azure Data Lake Storage or Azure Storage | Keys: get, list, unwrap key | N/A (custom role required)
Azure Backup | Keys: get, list, backup; Secrets: get, list, backup | N/A (custom role required)
Exchange Online Customer Key | Keys: get, list, wrap key, unwrap key | Key Vault Crypto Service Encryption User
Azure Information BYOK | Keys: get, decrypt, sign | N/A (custom role required)

Assignment scopes mapping

Azure RBAC for Key Vault allows role assignment at the following scopes:

  • Management group
  • Subscription
  • Resource group
  • Key Vault resource
  • Individual key, secret, and certificate

Access policy to RBAC migration

There are many differences between Azure RBAC and the vault access policy permission model. In order to avoid outages during migration, the steps below are recommended.

  1. Identify and assign roles: identify built-in roles based on the mapping table above and create custom roles when needed. Assign roles at scopes based on the scopes mapping guidance. For more information on how to assign roles to a key vault, see Provide access to Key Vault with Azure role-based access control.
  2. Validate role assignments: role assignments in Azure RBAC can take several minutes to propagate. For a guide on how to check role assignments, see List role assignments at a scope.
  3. Configure monitoring and alerting on the key vault: it's important to enable logging and set up alerting for access-denied exceptions. For more information, see Monitoring and alerting for Azure Key Vault.
  4. Set the Azure role-based access control permission model on the Key Vault: enabling the Azure RBAC permission model will invalidate all existing access policies. In case of an error, the permission model can be switched back with all existing access policies remaining untouched.
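The four migration steps above as one script: map each access policy to the officer roles from the mapping table, wait for the assignments to propagate, wire AuditEvent logs to Log Analytics, and only then flip the permission model. This is an added example, not code from the original post; the vault, resource group and workspace names are assumed placeholders, and the diagnostic-setting cmdlets are the Az.Monitor 3.x ones.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault, Az.Resources, Az.Monitor 3.x,
# Az.OperationalInsights and an existing Log Analytics workspace.
$rg        = "rg-az500-demo"        # assumed
$vaultName = "kv-az500-demo-001"    # assumed
$wsName    = "law-az500-demo"       # assumed Log Analytics workspace
$vault     = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

function Test-Covers([string[]]$granted, [string[]]$required) {
    # True when every required permission is granted ("all" counts as everything).
    # -contains is case-insensitive, so "Get" and "get" both match.
    if ($granted -contains "all") { return $true }
    foreach ($r in $required) { if ($granted -notcontains $r) { return $false } }
    return $true
}
$mgmt = "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore"

# Step 1 - identify and assign: a policy that covers the management set maps to the officer
# role for that object type. Narrower policies (e.g. get + wrapKey only) fall through and
# need a custom role, as the N/A rows of the mapping table say.
$assignments = foreach ($p in $vault.AccessPolicies) {
    $roles = @()
    if (Test-Covers $p.PermissionsToKeys         $mgmt) { $roles += "Key Vault Crypto Officer" }
    if (Test-Covers $p.PermissionsToSecrets      $mgmt) { $roles += "Key Vault Secrets Officer" }
    if (Test-Covers $p.PermissionsToCertificates $mgmt) { $roles += "Key Vault Certificates Officer" }
    if ($roles.Count -eq 0) { Write-Warning "Policy for $($p.ObjectId) needs a custom role; skipping."; continue }
    foreach ($r in $roles) {
        New-AzRoleAssignment -ObjectId $p.ObjectId -RoleDefinitionName $r -Scope $vault.ResourceId `
            -ErrorAction SilentlyContinue | Out-Null
        [pscustomobject]@{ ObjectId = $p.ObjectId; Role = $r }
    }
}

# Step 2 - validate: assignments take minutes to propagate, so poll before touching the switch.
foreach ($a in $assignments) {
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $ok = Get-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.Role -Scope $vault.ResourceId
        if (-not $ok) { Start-Sleep -Seconds 20 }
    } until ($ok -or (Get-Date) -gt $deadline)
    if (-not $ok) { throw "Role '$($a.Role)' for $($a.ObjectId) not visible yet; aborting migration." }
}

# Step 3 - monitoring: ship AuditEvent logs to Log Analytics so access-denied calls show up.
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName).ResourceId
$log  = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category AuditEvent
New-AzDiagnosticSetting -Name "kv-audit" -ResourceId $vault.ResourceId -WorkspaceId $wsId -Log $log | Out-Null

# Step 4 - switch the permission model. Access policies stay stored but are ignored from now on;
# the same cmdlet with $false switches back with the policies untouched.
Update-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -EnableRbacAuthorization $true
```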

Manage certificates, secrets, and keys

Certificates

Key vault can be used to generate certificates or just store them for safe-keeping.

You can choose similar options to those of your own certification authority: from validity period (maximum 1200 months!) to key usage, it's all there.

You can choose integrated CAs, which Key Vault manages for you; these include DigiCert and GlobalSign.

Lifetime action

You can see Certificate transparency, wondering what it is?

Key usage

Import a certificate

For a certificate import operation, Azure Key Vault accepts two certificate file formats: PEM and PFX. Although there are PEM files with only the public portion, Key Vault requires and accepts only a PEM or PFX file with a private key.

Secrets

When you create a secret, you will see the option to create a certificate, but it isn't available anymore; it has been moved to the Certificates page.


The Azure Portal currently only supports single-line secret values. Please use Azure PowerShell to set multi-line values.

From here you can also add Activation and Expiration dates. Activation adds the NBF (not before) property and Expiration the EXP property to the secret.

When you press Create, you will get the following warning.

We enabled network security but didn't add the client IP to the firewall (Microsoft, please add the current client IP to the column automatically!).

Once done, success!

And lastly keys

Generate

Or import

For keys there is an excellent feature called auto key rotation, which just became generally available!
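Managing the three object types from PowerShell: a vault-generated certificate with a lifetime action, a PFX import (private key required), a multi-line secret with NBF/EXP attributes, and an HSM-protected key both generated and imported. This is an added example, not code from the original post; the vault name, subject name and file paths are assumed placeholders.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault and a Premium-tier vault.
$vaultName = "kv-az500-demo-001"   # assumed

# Certificate generated by Key Vault: self-signed issuer, 12 months validity, key usages and
# an automatic renewal 30 days before expiry (the "lifetime action" from the portal).
$policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" `
    -SubjectName "CN=app.contoso.example" -IssuerName Self -ValidityInMonths 12 `
    -KeyType RSA -KeySize 2048 -KeyUsage DigitalSignature,KeyEncipherment `
    -Ekus "1.3.6.1.5.5.7.3.1" `
    -RenewAtNumberOfDaysBeforeExpiry 30
Add-AzKeyVaultCertificate -VaultName $vaultName -Name "cert-app-tls" -CertificatePolicy $policy

# Import: Key Vault only accepts a PEM or PFX file that contains the private key.
$pfxPwd = Read-Host -Prompt "PFX password" -AsSecureString
Import-AzKeyVaultCertificate -VaultName $vaultName -Name "cert-imported" `
    -FilePath "C:\certs\app.pfx" -Password $pfxPwd                       # assumed path

# Secret with activation (nbf) and expiration (exp). The value comes from a file because the
# portal only supports single-line values; PowerShell handles multi-line content fine.
$value = Get-Content -Path "C:\secrets\deploy-key.pem" -Raw |                 # assumed path
    ConvertTo-SecureString -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name "ssh-deploy-key" -SecretValue $value `
    -ContentType "application/x-pem-file" `
    -NotBefore (Get-Date).ToUniversalTime() `
    -Expires (Get-Date).ToUniversalTime().AddDays(90)
"nbf={0:u} exp={1:u}" -f $secret.NotBefore, $secret.Expires

# Key: HSM-protected RSA key (Premium SKU) with an expiry set from day one.
Add-AzKeyVaultKey -VaultName $vaultName -Name "key-tde-protector" -Destination HSM `
    -KeyType RSA -Size 2048 -Expires (Get-Date).ToUniversalTime().AddYears(1)

# Or import an existing key from a PFX; once inside the vault it is no longer exportable.
Add-AzKeyVaultKey -VaultName $vaultName -Name "key-imported" -Destination HSM `
    -KeyFilePath "C:\keys\key.pfx" -KeyFilePassword $pfxPwd                  # assumed path
```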


Configure (Auto) key rotation

Permissions required

The Key Vault key rotation feature requires key management permissions. You can assign the "Key Vault Administrator" role to manage the rotation policy and on-demand rotation.

For more information on how to use RBAC permission model and assign Azure roles, see: Use an Azure RBAC to control access to keys, certificates and secrets

Let’s explore the options

You have two different permission models:

  • RBAC based
  • Vault access policy

RBAC-based policy

You have a Key Vault and will generate a new key and a rotation policy for it.

And you will be shown the following error.

Go to Access control and add a role assignment.

Add Key Vault Administrator

Here you can add Users, Groups, Service principals or even Managed identities.

What are managed identities?

I will choose users for demonstration purposes. You can check your rights from the same pane.

Then back to key rotation.

Now you can enable key rotation. In my example I chose an expiration time of 1 year and a rotation time of 355 days, as it has to be lower than 358 days.

And with the policy-based permission model

You have to add the "Get Rotation Policy" right.

Go to Access policies and add “Get Rotation Policy”

Go back to keys and you will see the same options for adding Key Rotation.
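The rotation policy configured above (1-year expiry, rotation 355 days after creation), applied from PowerShell for a vault in the access policy model, then verified and exercised with an on-demand rotation. This is an added example, not code from the original post; vault and key names are assumed placeholders, and the 7-day minimum gap between rotation and expiry is the reason 355 days has to stay below 358.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault and an existing key.
$vaultName = "kv-az500-demo-001"    # assumed
$keyName   = "key-tde-protector"    # assumed

# Vault access policy model: the rotation rights are separate key permissions, not part of the
# classic key-management set. (Under RBAC, assign "Key Vault Administrator" instead.)
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName (Get-AzContext).Account.Id `
    -PermissionsToKeys get,list,create,update,rotate,getrotationpolicy,setrotationpolicy

# Rotation policy in the JSON shape Key Vault expects (ISO 8601 durations).
# Rotate 355 days after creation, notify 30 days before the 1-year expiry.
$policyJson = @'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P355D" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "P1Y" }
}
'@
$policyPath = Join-Path $env:TEMP "rotation-policy.json"
Set-Content -Path $policyPath -Value $policyJson -Encoding utf8
Set-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -KeyName $keyName -PolicyPath $policyPath

# Read back what was stored, then rotate once on demand to prove the permissions work.
Get-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -KeyName $keyName |
    Select-Object ExpiresIn, LifetimeActions
$newVersion = Invoke-AzKeyVaultKeyRotation -VaultName $vaultName -Name $keyName
"New key version: $($newVersion.Version)"
Remove-Item $policyPath
```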

ARM-template

You can also add key rotation to an ARM template with the following.


Configure Backup and recovery of certificates, secrets, and keys

Prerequisites

To back up a key vault object, you must have:

  • Contributor-level or higher permissions on an Azure subscription.
  • A primary key vault that contains the secrets you want to back up.
  • A secondary key vault where secrets will be restored.

Certificates

Store it in a safe place

Deleting the certificate, oops

Open Deleted certificates

When you have Soft-Delete enabled, it's easy

Or from backup

Secrets

Again, if you have Soft-Delete enabled, it's quite easy

Or if you have a backup

And restore the backup

Key

Again, a similar process. If you have a backup, you can just restore it

And choose the file

And if you have Soft-Delete enabled, just restore it from there. Microsoft really made this easy and consistent, nice job!

Restoring the whole Key vault

Even restoring a deleted Key vault is possible: if you accidentally deleted a Key vault, it will stay in the recycle bin for 90 days!
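The backup and both recovery paths described above (soft-delete recovery and restore from a backup blob) for a key, a secret, a certificate and finally the whole vault. This is an added example, not code from the original post; vault names, the backup directory and the object names are assumed placeholders, and a backup blob can only be restored into a vault in the same subscription and Azure geography.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault and Contributor on the subscription.
$rg        = "rg-az500-demo"        # assumed
$location  = "northeurope"
$primary   = "kv-az500-demo-001"    # assumed primary vault
$secondary = "kv-az500-demo-dr"     # assumed secondary vault, same subscription and geography
$backupDir = "C:\kv-backups"        # assumed; treat these blobs as sensitive material
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1) Backup: each blob is encrypted by Key Vault and contains every version of the object.
Backup-AzKeyVaultKey         -VaultName $primary -Name "key-tde-protector" -OutputFile "$backupDir\key-tde-protector.blob"
Backup-AzKeyVaultSecret      -VaultName $primary -Name "ssh-deploy-key"    -OutputFile "$backupDir\ssh-deploy-key.blob"
Backup-AzKeyVaultCertificate -VaultName $primary -Name "cert-app-tls"      -OutputFile "$backupDir\cert-app-tls.blob"

# 2) Recovery path A - soft delete: a deleted object stays in the deleted state for the
#    retention period, and Undo-* brings it back with all versions intact.
Remove-AzKeyVaultSecret -VaultName $primary -Name "ssh-deploy-key" -Force    # oops
Get-AzKeyVaultSecret -VaultName $primary -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate
Undo-AzKeyVaultSecretRemoval -VaultName $primary -Name "ssh-deploy-key"

# 3) Recovery path B - restore the backup blobs into the secondary vault
#    (fails if an object with the same name already exists there).
Restore-AzKeyVaultKey         -VaultName $secondary -InputFile "$backupDir\key-tde-protector.blob"
Restore-AzKeyVaultSecret      -VaultName $secondary -InputFile "$backupDir\ssh-deploy-key.blob"
Restore-AzKeyVaultCertificate -VaultName $secondary -InputFile "$backupDir\cert-app-tls.blob"

# 4) The whole vault: a soft-deleted vault is listed with -InRemovedState and can be undone
#    until it is purged (and purge protection blocks purging entirely).
Get-AzKeyVault -InRemovedState | Select-Object VaultName, Location, DeletionDate, ScheduledPurgeDate
Undo-AzKeyVaultRemoval -VaultName $primary -ResourceGroupName $rg -Location $location
```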

What are the limitations for Key Vault?

Key transactions (maximum transactions allowed in 10 seconds, per vault per region [1])

Key type | HSM key: CREATE key | HSM key: all other transactions | Software key: CREATE key | Software key: all other transactions
RSA 2,048-bit | 5 | 1,000 | 10 | 2,000
RSA 3,072-bit | 5 | 250 | 10 | 500
RSA 4,096-bit | 5 | 125 | 10 | 250
ECC P-256 | 5 | 1,000 | 10 | 2,000
ECC P-384 | 5 | 1,000 | 10 | 2,000
ECC P-521 | 5 | 1,000 | 10 | 2,000
ECC SECP256K1 | 5 | 1,000 | 10 | 2,000

Secrets, managed storage account keys, and vault transactions

Transactions type | Maximum transactions allowed in 10 seconds, per vault per region [1]
All transactions | 2,000

[1] A subscription-wide limit for all transaction types is five times the per-key-vault limit. For example, HSM-other transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription.


Backup keys, secrets, certificates

Transactions type | Maximum key vault object versions allowed
Backup individual key, secret, certificate | 500

Azure Private Link integration

Resource | Limit
Private endpoints per key vault | 64
Key vaults with private endpoints per subscription | 400

Possible use cases for Key vault

SSL certificates for Apps

You can use certificates from Key Vault for your apps, which is a neat feature.

Customer Managed TDE

How does customer-managed TDE work?

For the server to be able to use a TDE protector stored in AKV for encryption of the DEK, the key vault administrator needs to give the following access rights to the server using its unique Azure Active Directory (Azure AD) identity:

  • get – for retrieving the public part and properties of the key in the Key Vault
  • wrapKey – to be able to protect (encrypt) DEK
  • unwrapKey – to be able to unprotect (decrypt) DEK

Requirements for configuring Azure Key Vault

  • Key vault and SQL Database/managed instance must belong to the same Azure Active Directory tenant. Cross-tenant key vault and server interactions are not supported. To move resources afterwards, TDE with AKV will have to be reconfigured. Learn more about moving resources.
  • Soft-delete and Purge protection features must be enabled on the key vault to protect from data loss due to accidental key (or key vault) deletion.
    • Soft-deleted resources are retained for 90 days, unless recovered or purged by the customer. The recover and purge actions have their own permissions associated in a key vault access policy. The Soft-delete feature can be enabled using the Azure portal, PowerShell or Azure CLI.
    • Purge protection can be turned on using Azure CLI or PowerShell. When purge protection is enabled, a vault or an object in the deleted state cannot be purged until the retention period has passed. The default retention period is 90 days, but is configurable from 7 to 90 days through the Azure portal.
  • Grant the server or managed instance access to the key vault (get, wrapKey, unwrapKey) using its Azure Active Directory identity. When using the Azure portal, the Azure AD identity gets automatically created when the server is created. When using PowerShell or Azure CLI, the Azure AD identity must be explicitly created and should be verified. See Configure TDE with BYOK and Configure TDE with BYOK for SQL Managed Instance for detailed step-by-step instructions when using PowerShell.
    • Depending on the permission model of the key vault (access policy or Azure RBAC), key vault access can be granted either by creating an access policy on the key vault, or by creating a new Azure RBAC role assignment with the role Key Vault Crypto Service Encryption User.
  • When using a firewall with AKV, you must enable the option Allow trusted Microsoft services to bypass the firewall.
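The requirements above as a script: give the logical SQL server's Azure AD identity exactly get, wrapKey and unwrapKey (in whichever permission model the vault uses), check purge protection and the trusted-services bypass, then make the vault key the TDE protector. This is an added example, not code from the original post; the server, vault and key names are assumed placeholders.

```powershell
# Added example (not from the original post). Assumes Az.Sql, Az.KeyVault and Az.Resources.
$rg        = "rg-az500-demo"        # assumed
$server    = "sql-az500-demo"       # assumed logical SQL server
$vaultName = "kv-az500-demo-001"    # assumed
$keyName   = "key-tde-protector"    # assumed RSA key in the vault

# The server needs an Azure AD identity; -AssignIdentity creates a system-assigned one.
$sql = Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity
$sqlObjectId = $sql.Identity.PrincipalId

$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault.EnablePurgeProtection) {
    throw "Soft delete and purge protection must be on before this vault holds a TDE protector."
}

if ($vault.EnableRbacAuthorization) {
    # RBAC model: the built-in role that maps to get + wrapKey + unwrapKey, scoped to this vault.
    New-AzRoleAssignment -ObjectId $sqlObjectId -RoleDefinitionName "Key Vault Crypto Service Encryption User" `
        -Scope $vault.ResourceId | Out-Null
} else {
    # Access policy model: exactly the three rights, nothing more.
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sqlObjectId `
        -PermissionsToKeys get,wrapKey,unwrapKey
}

# Firewall: trusted Microsoft services must be allowed through, or the server cannot reach the key.
if ($vault.NetworkAcls.DefaultAction -eq "Deny" -and $vault.NetworkAcls.Bypass -ne "AzureServices") {
    Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -Bypass AzureServices
}

# Register the versioned key with the server and make it the protector that wraps the DEK.
$keyId = (Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName).Id
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $keyId | Out-Null
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $keyId
```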

These are just a couple of examples for your reference!

HSM

What is a Hardware Security Module (HSM)?

In order to understand Key Vault, we need to understand HSMs.

An HSM is a tamper-proof hardware device which is specifically designed to securely store cryptographic keys.

  • Keys can be generated within the HSM, or they can be securely imported into it.
  • The keys which are generated in or imported into the HSM never leave the HSM boundary, and it is not possible to extract or decrypt those keys using any tool or program. Although those keys cannot be extracted, they can be used to encrypt and decrypt other keys and secrets which are stored within Key Vault.

You don't find Managed HSM inside the Azure portal; you can provision it with PowerShell, Azure CLI or ARM.

Azure Dedicated HSM is not a good fit for the following type of scenario:

Microsoft cloud services that support encryption with customer-managed keys, such as Azure Information Protection, Azure Disk Encryption, Azure Data Lake Store, Azure Storage, Azure SQL Database, and Customer Key for Office 365.

Microsoft has Azure Dedicated HSM, but that will be removed, and the next-generation version is:

Azure Key Vault Managed HSM

Azure SQL now supports using a RSA key stored in a Managed HSM as TDE Protector. Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. Managed HSMs use Marvell LiquidSecurity HSM adapters.

How to enable it?

Just choose the Premium pricing tier and you're done.

Methods and endpoints

Resource type | Key protection methods | Data-plane endpoint base URL
Vaults | Software-protected, and HSM-protected (with Premium SKU) | https://{vault-name}.vault.azure.net
Managed HSMs | HSM-protected | https://{hsm-name}.managedhsm.azure.net
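Provisioning and activating a Managed HSM pool, which (as noted above) has no portal create experience and uses its own managedhsm.azure.net endpoint. This is an added example, not code from the original post; the names, administrator object ID and certificate paths are assumed placeholders, and the cmdlet names are the Az.KeyVault ones I know of for Managed HSM.

```powershell
# Added example (not from the original post). Assumes Az.KeyVault with Managed HSM support.
$rg             = "rg-az500-demo"                              # assumed
$hsmName        = "hsm-az500-demo"                             # assumed
$adminObjectIds = @("00000000-0000-0000-0000-00000000bbbb")    # assumed: initial HSM administrators

# Create the pool. Billing starts immediately (see the pricing estimate at the top of the post),
# and soft delete / purge protection work like they do for a vault.
$hsm = New-AzKeyVaultManagedHsm -Name $hsmName -ResourceGroupName $rg -Location "northeurope" `
    -Administrator $adminObjectIds -SoftDeleteRetentionInDays 90 -EnablePurgeProtection

# Activation: the HSM is unusable until its security domain is downloaded. The domain is
# encrypted to N RSA public keys with a quorum of M needed for recovery; keep the matching
# private keys offline, because whoever holds a quorum can restore the HSM's key material.
$certs = @("C:\sd\sd1.cer", "C:\sd\sd2.cer", "C:\sd\sd3.cer")   # assumed public keys
Export-AzKeyVaultSecurityDomain -Name $hsmName -Certificates $certs -Quorum 2 `
    -OutputPath "C:\sd\$hsmName-security-domain.json"

# The data-plane endpoint differs from a vault, and access inside it is local HSM RBAC,
# not the Key Vault roles listed earlier.
"Endpoint: $($hsm.HsmUri)"
```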

Pricing for Managed HSM

Key type | Standard | Premium
RSA 2048-bit keys | N/A | €0.863 per key per month [1] + €0.026/10,000 transactions
Advanced key types [1] (RSA 3072-bit, RSA 4096-bit, and Elliptic-Curve Cryptography (ECC) keys) | N/A | First 250 keys: €4.312 per key per month; 251–1500 keys: €2.156 per key per month; 1501–4000 keys: €0.777 per key per month; 4001+ keys: €0.345 per key per month; + €0.130/10,000 transactions

Here is an excellent article on Managed HSM by Nicholas Kondamudi

Things to remember

What are Microsoft trusted services, maybe not needed for the exam but nice to know!

The ability to turn off soft delete via the Azure Portal has been deprecated. You can create a new key vault with soft delete off for a limited time using CLI / PowerShell / REST API. The ability to create a key vault with soft delete disabled will be fully deprecated by the end of the year.

Why to choose RBAC over Access policies and how to migrate?

Key Vault authentication options, when to use what?

Different roles for Key vault and Access policy templates to Azure roles mappings

Process of Access policy to RBAC migration

How to make Key vault secure with Networking restrictions.

How to use key auto-rotation, an excellent, excellent feature!

And the limitations for Key vault

Integration with HSM to store keys securely

Thank you!

For this last post I would like to thank you all for reading and supporting. All feedback is welcome from my audience, because you are the ones these posts are for. Raising the community, because the community raised me!

And then on to the next one; I still haven't decided which, but it could be one of the following.

In the meantime you can book time with me for MVP or technical mentoring, many have already done so. See here for more info.

#Azure #Identity #Security #sharingiscaring #Neverstoplearning

Link to main post

Author: Harri Jaakkonen
